Panda Group using NSA tools, RATs and Crypto-Miners to mine Monero
Cisco’s Talos threat intelligence group revealed on Tuesday that a new threat actor has generated thousands of dollars in the Monero crypto currency using remote access tools (RATs) and crypto currency mining malware.
Christened ‘Panda’ by Talos, it is reportedly not a sophisticated actor, but is highly active, focused on persistently exploiting vulnerable web applications worldwide. Panda’s tools allow it to traverse networks, while the use of RATs also leaves enough room for data theft. The group is capable of updating its exploits on the fly and relies on exploits released by Shadow Brokers for infiltration, as well as Mimikatz for credential-dumping.
It was initially associated with the MassMiner campaign, then it was shortly after linked to another widespread mining campaign that used a different set of command and control (C&C) servers. Panda has since updated not only the infrastructure, but also its portfolio of exploits and payloads.
The cybercriminals behind Panda have been observed targeting organizations in multiple industry sectors including the banking, healthcare, transportation, telecommunications, and IT services sectors.
The actor was exploiting a WebLogic vulnerability (CVE-2017-10271) to drop a miner associated with MassMiner in July last year. The hackers were scanning enmasse for vulnerable servers and also attempted to exploit an Apache Struts-2 vulnerability (CVE-2017-5638) in addition to a PowerShell exploit being used to download a miner payload. Panda was also observed using Gh0st RAT and dropping other hacking tools and exploits, including Mimikatz and exploits that the Shadow Brokers are said to have stolen from the National Security Agency (NSA).
Talos estimates that Panda has amassed an amount of Monero that is currently valued at around $100,000.
Talos researchers spotted elements of the MassMiner attacks being used in a campaign that employed a different C&C server, suggesting that the same actor might have been behind both. In March this year, it was using new infrastructure, although the tactics, techniques, and procedures (TTPs) remained similar. Exploit modules designed for lateral movement were still used, many related to the NSA exploits.
In January 2019, the threat actor was exploiting a flaw in the ThinkPHP web framework to spread similar malware. Thereafter, Panda started employing an updated payload, which used the Certutil tool in Windows to download the secondary miner payload. Over the past month, Panda has updated its C&C and payload-hosting infrastructure, but the employed malware remains relatively similar to what was used previously and in August, the hackers added new set of domains to their inventory.
Talos states that Panda’s payloads are also not very sophisticated and it’s operational security remains poor, with many of their old and current domains all hosted on the same IP and their TTPs remaining relatively similar throughout campaigns.